Other Matters: Documented Evidence to Test System Access Controls

The audit attempted to review whether the agency revoked computer system access of terminated employees in a timely manner and ensured that new employees signed access agreements before using these systems.

Overview

In performing our evaluation of the Executive Office of Housing and Economic Development’s (EOHED’s) internal controls, we intended to review and assess certain system access controls related to EOHED’s network (specifically, whether information system users signed access agreements before accessing EOHED’s network and whether EOHED revoked the access rights of terminated users in a timely manner). We selected samples of users who were hired by EOHED agencies during our audit period, as well as samples of users who terminated their employment at EOHED agencies during this period, to test these controls. We asked EOHED for the necessary information, which included supporting documentation to verify the dates of each employee’s first access to the network and of each employee’s termination of user access rights within the network. EOHED management responded in a letter that this information was not available because it “is not captured nor logged in a manner that depicts an accurate history of this activity.”

As a best practice, Section PS-6 of Revision 4 of the National Institute of Standards and Technology Special Publication 800-53 states that users who need access to organizational information and information systems should sign appropriate access agreements before being granted access. Additionally, Section 6.1.6.2.1 of the Executive Office of Technology Services and Security (EOTSS) Information Security Standard IS.003, “Access Management,” states that upon termination, users’ access to information systems must be “removed within 24 business hours.”

EOHED should implement procedures to provide supporting evidence that its controls are working as designed in compliance with EOTSS standards and industry best practices.

Auditee’s Response

As of now, new employees are provided user access to the EOHED network when they are credentialed and start employment, though neither EOHED nor EOTSS has in place a system to track the date and time of a new employee’s first use of the EOHED network. Similarly, EOTSS does not record the date and time when user access rights are terminated. In response to your office’s recommendation, EOHED will consult with EOTSS to determine if steps can be taken to document this information.

Auditor’s Reply

As previously noted, during our audit, we identified areas in EOHED’s information technology (IT) environment that we thought could be improved. We decided that these issues were significant enough to present in the “Other Matters” section of this report for management’s consideration. Although we are confident that the IT control enhancements we suggest would strengthen EOHED’s control environment and improve its IT security, we acknowledge that it is ultimately up to EOHED management to determine what measures to take to address these issues given the agency’s work environment and available resources. We are encouraged by EOHED’s acknowledgement that improvements can be made in the areas identified and by its willingness to take the measures it deems feasible to enhance IT controls over these areas.

Date published: November 24, 2020